Dropbox confirms it got hacked, will offer two-factor authentication

Spammers used stolen password to access list of Dropbox user e-mails.

A couple of weeks ago Dropbox hired some "outside experts" to investigate why a bunch of users were getting spam at e-mail addresses used only for Dropbox storage accounts. The results of the investigation are in, and it turns out a Dropbox employee’s account was hacked, allowing access to user e-mail addresses.

In an explanatory blog post, Dropbox today said a stolen password was "used to access an employee Dropbox account containing a project document with user email addresses." Hackers apparently started spamming those addresses, although there’s no indication that user passwords were revealed as well. Some Dropbox customer accounts were hacked too, but this was apparently an unrelated matter. "Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts," the company said.

Dropbox noted that users should set up different passwords for different sites. The site is also increasing its own security measures. In a few weeks, Dropbox said it will start offering an optional two-factor authentication service. This could involve users logging in with a password as well as a temporary code sent to their phones.

Dropbox has also set up a new page letting users view all the active logins to their accounts, and said it is planning "new automated mechanisms to help identify suspicious activity." At any rate, users may want to think about examining more secure alternatives, encrypting their files, or simply not storing ultra-sensitive information in Dropbox. You may recall that one year ago, a Dropbox screwup left all user accounts unsecured and accessible with any password for four hours. These mistakes haven't led to major problems for users that we know of just yet, but they don't inspire much confidence in Dropbox's security systems.

Promoted Comments

I received a password reset email from Dropbox, but had a Dropbox-unique password. Did everyone get these, was my account "compromised", or was the same email (not unique to DB) just tied to an account on a site that was compromised?

This is interesting. I would have said the latter, because of this Dropbox quote in the blog post we linked to: "Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts."

However, since you said you have a Dropbox-unique password, that can't be the explanation. I am a Dropbox user and didn't get such an email. So, I don't know the answer.

The email actually said no malicious activity was detected with my account; however that seems contradictory to their blog post.

57 Reader Comments

Still have more faith in Dropbox than in some home-grown intranet system.

If nothing else, Dropbox has teams of people to fix things at this point. I shudder to think of the exposure of some of the businesses I've seen, and how long it would take to clean up from something like this.

I received a password reset email from Dropbox, but had a Dropbox-unique password. Did everyone get these, was my account "compromised", or was the same email (not unique to DB) just tied to an account on a site that was compromised?

I received a password reset email from Dropbox, but had a Dropbox-unique password. Did everyone get these, was my account "compromised", or was the same email (not unique to DB) just tied to an account on a site that was compromised?

This is interesting. I would have said the latter, because of this Dropbox quote in the blog post we linked to: "Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts."

However, since you said you have a Dropbox-unique password, that can't be the explanation. I am a Dropbox user and didn't get such an email. So, I don't know the answer.

The title is misleading. Dropbox didn't get hacked; an employee at Dropbox got hacked (his account details were in a stolen database elsewhere), and that was used to gain access to a file that has a list of customers that was later spammed. Two different things, and regardless of both, Dropbox is learning and taking steps to improve itself further.

an employee at Dropbox got hacked (his account details were in a stolen database elsewhere), and that was used to gain access to a file that has a list of customers that was later spammed.

Actually, Dropbox didn't say how that employee password was stolen.

Quote:

Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

It is clear to me that a single employee got his data stolen, which doesn't place any fault on Dropbox's overall security and still confirms the title is misleading in suggesting that Dropbox overall got hacked.

It is clear to me that a single employee got his data stolen, which doesn't place any fault on Dropbox's overall security and still confirms the title is misleading in suggesting that Dropbox overall got hacked.

Many breaches are the result of a single employee screwing up. That doesn't change the fact that sensitive customer information was stolen from a Dropbox system.

It is clear to me that a single employee got his data stolen, which doesn't place any fault on Dropbox's overall security and still confirms the title is misleading in suggesting that Dropbox overall got hacked.

It is clear to me that a single employee got his data stolen, which doesn't place any fault on Dropbox's overall security and still confirms the title is misleading in suggesting that Dropbox overall got hacked.

Many breaches are the result of a single employee screwing up. That doesn't change the fact that sensitive customer information was stolen from a Dropbox system.

What *many* breaches are you talking about? A small group of customers got spammed (they didn't get hacked, nor did they have their data breached; the project file only had email addresses and nothing else), which can happen anywhere. Another group of customers failed to randomize their passwords and reused the same stolen password for Dropbox, which again can happen anywhere and is not the result of this employee.

So, the only breach is that they got spammed as the result of this employee storing an unencrypted project file.

The same thing can happen to any Ars employee here or any other company.

It is clear to me that a single employee got his data stolen, which doesn't place any fault on Dropbox's overall security and still confirms the title is misleading in suggesting that Dropbox overall got hacked.

Security is only as strong as the weakest link.

Totally agree, that applies to every security system on the planet that involves any human.

I received a password reset email from Dropbox, but had a Dropbox-unique password. Did everyone get these, was my account "compromised", or was the same email (not unique to DB) just tied to an account on a site that was compromised?

This is interesting. I would have said the latter, because of this Dropbox quote in the blog post we linked to: "Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts."

However, since you said you have a Dropbox-unique password, that can't be the explanation. I am a Dropbox user and didn't get such an email. So, I don't know the answer.

The email actually said no malicious activity was detected with my account; however that seems contradictory to their blog post.

Two-factor authentication (at least for password or other significant account changes) and account access logs should be the minimum standard for any online resource. What's most troubling is that an employee had, even in the context of ongoing work, a list of user email addresses unencrypted in their own Dropbox.

I received a password reset email from Dropbox, but had a Dropbox-unique password. Did everyone get these, was my account "compromised", or was the same email (not unique to DB) just tied to an account on a site that was compromised?

I haven't received an email from Dropbox yet. But the comments on their blog post make it seem like it's a legit email. A lot of people are also upset because they are receiving the email from a dropboxmail.com no-reply email address. It seemed fishy until someone did a whois lookup and found it linking to dropbox.com domain servers.

Also seems you can still use the old password even with the reset password email, according to some of the comments.

I received a password reset email from Dropbox, but had a Dropbox-unique password. Did everyone get these, was my account "compromised", or was the same email (not unique to DB) just tied to an account on a site that was compromised?

I haven't received an email from Dropbox yet. But the comments on their blog post make it seem like it's a legit email. A lot of people are also upset because they are receiving the email from a dropboxmail.com no-reply email address. It seemed fishy until someone did a whois lookup and found it linking to dropbox.com domain servers.

Also seems you can still use the old password even with the reset password email, according to some of the comments.

Not sure if you can use the same password; I clicked the link from my Dropbox menu applet to open the site directly, and I changed it there.

According to this forum thread, Dropbox says that the email is legitimate. One of the posts references unhappiness with how this has been handled, but I don't know what "comments" it is referring to.

Let us face it. There is nothing secure about public online services. It is just a huge honeypot waiting to be hacked. Try personal cloud services like Tonido or Pogo if you want to keep control over your data.

I assume any unsolicited email dealing with account information is phishing. I re-read the Dropbox email about 5 times before I decided I could trust it (I looked at the HTML to confirm the links were legit). Dropbox should have provided two clear options:

1. The You Don't Trust Us Any More Option: Go to www.dropbox.com (type it yourself) Go to login, choose "I forgot my password"

2. Ah, Bless! You Still Trust Us Just A Bit Option: Click HERE to update your password.

It is clear to me that a single employee got his data stolen, which doesn't place any fault on Dropbox's overall security and still confirms the title is misleading in suggesting that Dropbox overall got hacked.

Security is only as strong as the weakest link.

Dropbox will never be secure enough to house sensitive files until it switches to what Steve Gibson calls a "trust no one" system, in which the files are encrypted with a key that ONLY the user knows. As long as Dropbox management insists on owning the keys, they will always be vulnerable to hacks, which means they WILL BE HACKED AGAIN. Dropbox users can either switch to Spideroak, which unfortunately is not awfully user-friendly, or start using DIY encryption solutions like BoxCryptor. It's all a huge PIA and will stay that way until Dropbox bricks up its back doors to our data.

Let us face it. There is nothing secure about public online services. It is just a huge honeypot waiting to be hacked. Try personal cloud services like Tonido or Pogo if you want to keep control over your data.

Just how good are individuals at securing their personal cloud? Also unfortunately some of those personal clouds don't have apps for a lot of platforms, just the biggest names.

It is clear to me that a single employee got his data stolen, which doesn't place any fault on Dropbox's overall security and still confirms the title is misleading in suggesting that Dropbox overall got hacked.

Security is only as strong as the weakest link.

Dropbox will never be secure enough to house sensitive files until it switches to what Steve Gibson calls a "trust no one" system, in which the files are encrypted with a key that ONLY the user knows. As long as Dropbox management insists on owning the keys, they will always be vulnerable to hacks, which means they WILL BE HACKED AGAIN. Dropbox users can either switch to Spideroak, which unfortunately is not awfully user-friendly, or start using DIY encryption solutions like BoxCryptor. It's all a huge PIA and will stay that way until Dropbox bricks up its back doors to our data.

You should never assume anything outside your physical control is secure, and sometimes even then. Anything even remotely sensitive on Dropbox I keep inside encrypted DMGs.

However, since you said you have a Dropbox-unique password, that can't be the explanation. I am a Dropbox user and didn't get such an email. So, I don't know the answer.

The email actually said no malicious activity was detected with my account; however that seems contradictory to their blog post.

The blog post also said that people who didn't change their password in a long time might get the mail. That might be the reason why you (and I, for that matter) got the mail. I use a fairly complex 1Password-generated password and haven't changed it since 2008.

And to answer other people's comments: No, once you log out on the website, you can't log in with your old password anymore, you need to go via the 'Forgot the password' link to set a new password.

SpiderOak is a little trickier to use for file syncing than DropBox, but mostly because the original purpose of SpiderOak is offsite backup; the file syncing is layered on top of that, so you need to define what parts of your file system are to be backed up, then select what will be synced. It's a few extra steps to set up initially, but SpiderOak is more flexible than DropBox. It's also much, much more secure, and their customer service is excellent.

However, since you said you have a Dropbox-unique password, that can't be the explanation. I am a Dropbox user and didn't get such an email. So, I don't know the answer.

The email actually said no malicious activity was detected with my account; however that seems contradictory to their blog post.

The blog post also said that people who didn't change their password in a long time might get the mail. That might be the reason why you (and I, for that matter) got the mail. I use a fairly complex 1Password-generated password and haven't changed it since 2008.

And to answer other people's comments: No, once you log out on the website, you can't log in with your old password anymore, you need to go via the 'Forgot the password' link to set a new password.

I've changed mine in the past four months or so. One thing I've done is log onto a lot of new devices recently, so maybe that flagged it. Actually, hmm. I logged in via an HTC One X on the sales floor in a cell phone store in Hong Kong to take advantage of the extra 23GB of storage. I know, the digital equivalent of staying the night with a working girl without protection... Maybe they just profile risky behaviour.

Still have more faith in Dropbox than in some home-grown intranet system.

If nothing else, Dropbox has teams of people to fix things at this point. I shudder to think of the exposure of some of the businesses I've seen, and how long it would take to clean up from something like this.

Props for the proactive response, I say.

Faith from which view point? That the data won't disappear or that the data is secure from hackers?

Let us face it. There is nothing secure about public online services. It is just a huge honeypot waiting to be hacked. Try personal cloud services like Tonido or Pogo if you want to keep control over your data.

Oh yeah? And how are these any safer? Your password is still stored on their servers.

Of course since they are closed source we can't know this for sure, but that is at least their claim. If you (Zak) have any documentation that this is not the case that would be very interesting.

You could use a packet sniffer, like Wireshark, and upload a plain text file, then inspect the packets and see if the packets include the plain text.

Sure, but that only tells you that the data that is being sent is scrambled in some way I can't figure out. There is no way to know that Wuala/SpiderOak can't decrypt it on their end. Also there is no way to know that they do in fact not know my password. I can't think of any way this could be verified beyond fully open sourcing the client.

For the average person, losing data due to disk failure is far more likely than someone hacking into Dropbox to steal pictures of grandma surfing. For everyone who triple encrypts and memorizes a 20 character random password for every website they visit, Dropbox may not be for you....

I assume any unsolicited email dealing with account information is phishing. I re-read the Dropbox email about 5 times before I decided I could trust it (I looked at the HTML to confirm the links were legit). Dropbox should have provided two clear options:

1. The You Don't Trust Us Any More Option: Go to http://www.dropbox.com (type it yourself) Go to login, choose "I forgot my password"

2. Ah, Bless! You Still Trust Us Just A Bit Option: Click HERE to update your password.

Option 1 should really always be your choice. If you do that, the worst case scenario is you need to change your password again later. Clicking the link potentially opens you up to phishing. You can check the email and the link in as much detail as you want, but if you are being thorough it is quicker to pick option 1. And if you're not being thorough, you're still open to phishing.
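The "thorough" route the commenter above took (reading the e-mail's HTML to confirm where its links go), written out as an added example that is not code from Ars Technica or Dropbox: it parses a notice's anchors and flags any link that is not https, whose host is not one of the domains the thread names as Dropbox-controlled (dropbox.com, dropboxmail.com), or whose visible text names a different host than the href actually points to. The sample notice is constructed for the example and is not the real reset mail.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("dropbox.com", "dropboxmail.com")  # named in the thread above
# Visible link text that itself looks like a URL or a bare hostname.
URL_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)

def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only for a trusted domain or a subdomain of one (no suffix tricks)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html):
    """Return one finding per link; 'reasons' is empty when nothing looks wrong."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url, reasons = urlparse(href), []
        if url.scheme != "https":
            reasons.append("not https")
        if not host_is_trusted(url.hostname):
            reasons.append("untrusted host %r" % url.hostname)
        shown = URL_TEXT.match(text)  # does the text display a URL the href does not go to?
        if shown and shown.group(1).lower() != (url.hostname or ""):
            reasons.append("visible text names %r" % shown.group(1))
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings

# Constructed sample notice (not Dropbox's real e-mail); the second link is a lookalike.
SAMPLE_NOTICE = """<p>We recently reset some passwords.</p>
<p><a href="https://www.dropbox.com/forgot">Reset your password</a></p>
<p>Help: <a href="http://dropbox.com.example.net/help">www.dropbox.com/help</a></p>
<p>Sent by <a href="https://no-reply.dropboxmail.com">Dropbox</a></p>"""
```

Running `audit_links(SAMPLE_NOTICE)` leaves the first and third links clean and reports three reasons for the lookalike; as the reply above notes, typing the address yourself still beats trusting any link the check happens to pass.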